ACO DisableDNSLookup behavior clarification and details in Web Agent

Article ID: 11079

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

Questions about the behavior of the ACO parameter DisableDNSLookup:

  1. With DisableDNSLookup set to NO, does the Web Agent do a Reverse DNS Lookup when it receives a request with an IP Address instead of a Fully Qualified Domain Name in the URL?
  2. When DisableDNSLookup is set to NO, how does the Web Agent do the reverse DNS Lookup?
  3. Does DisableDNSLookup also disable forward DNS lookup, that is, requesting the IP address for an FQDN?

Resolution

 

  1. Yes, it does.

    Setting DisableDNSLookup=YES prevents this behavior: it disables these reverse DNS requests.

    Web Agent logs and network traces show this:

    DisableDNSLookup=NO 

    [05/30/2014][05:35:51][22507][1143875904][CSmHttpPlugin.cpp:345][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved HTTP_HOST: '10.0.0.1'.] 

    [05/30/2014][05:35:51][22507][1143875904][CSmHttpPlugin.cpp:3772][Entered CSmHttpPlugin:: ResolveFQServerName sHost: ][][][][][][][10.0.0.1]

    [05/30/2014][05:35:51][22507][1143875904][CSmHttpPlugin.cpp:426][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved hostname: '_host.example.com'.] 

    372 8.522751 10.0.0.1 10.0.0.2
    DNS Standard query PTR 1.0.0.10.in-addr.arpa
    688 15.368671 10.0.0.2 10.0.0.1
    DNS Standard query response PTR _host.example.com

    DisableDNSLookup=YES

    [05/30/2014][05:39:37][22617][1124198720][CSmHttpPlugin.cpp:345][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved HTTP_HOST: '10.0.0.1'.]

    [05/30/2014][05:39:37][22617][1124198720][CSmHttpPlugin.cpp:3772][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][10.0.0.1]

    [05/30/2014][05:39:37][22617][1124198720][CSmHttpPlugin.cpp:3848][CSmHttpPlugin::ResolveFQServerName: isIP][][][][][][][10.0.0.1] 

    [05/30/2014][05:39:37][22617][1124198720][CSmHttpPlugin.cpp:3967][CSmHttpPlugin::ResolveFQServerName, DNSLookups disabled, checking to see if cookiedomain added!][][][][][][][10.0.0.1]

    [05/30/2014][05:39:37][22617][1124198720][CSmHttpPlugin.cpp:426][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved hostname: '10.0.0.1'.] 

    and no DNS request appears in the network traces.

  2. Name and address resolution is done using the POSIX API:

    getaddrinfo(): resolves an IP address from an FQDN
    getnameinfo(): resolves an FQDN from an IP address

  3. Yes, it disables forward DNS lookup (Hostname to IP address) too.
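
To confirm from a Web Agent trace log which of the two behaviors shown above is in effect, the log lines can be paired per request and classified. This is an added example, not part of the original article or the product; it assumes the third and fourth bracketed fields identify the process and thread handling the request, and the function names and verdict labels are illustrative.

```python
import ipaddress
import re

# Sample input: trace lines copied from the two captures in this article.
SAMPLE = r"""
[05/30/2014][05:35:51][22507][1143875904][CSmHttpPlugin.cpp:345][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved HTTP_HOST: '10.0.0.1'.]
[05/30/2014][05:35:51][22507][1143875904][CSmHttpPlugin.cpp:426][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved hostname: '_host.example.com'.]
[05/30/2014][05:39:37][22617][1124198720][CSmHttpPlugin.cpp:345][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved HTTP_HOST: '10.0.0.1'.]
[05/30/2014][05:39:37][22617][1124198720][CSmHttpPlugin.cpp:3967][CSmHttpPlugin::ResolveFQServerName, DNSLookups disabled, checking to see if cookiedomain added!][][][][][][][10.0.0.1]
[05/30/2014][05:39:37][22617][1124198720][CSmHttpPlugin.cpp:426][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved hostname: '10.0.0.1'.]
"""

# Assumption: fields 3 and 4 are process id and thread id; used to pair lines.
PREFIX = re.compile(r"^\[([^\]]*)\]\[([^\]]*)\]\[(\d+)\]\[(\d+)\]")
HTTP_HOST = re.compile(r"Resolved HTTP_HOST: '([^']*)'")
HOSTNAME = re.compile(r"Resolved hostname: '([^']*)'")

def is_ip(value):
    """True if value is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def classify(log_text):
    """Return one dict per request with the Host value, resolved name, verdict."""
    open_reqs, results = {}, []
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a trace line
        key = (m.group(3), m.group(4))
        if (h := HTTP_HOST.search(line)):
            open_reqs[key] = {"time": f"{m.group(1)} {m.group(2)}",
                              "http_host": h.group(1), "disabled": False}
        elif key in open_reqs and "DNSLookups disabled" in line:
            open_reqs[key]["disabled"] = True
        elif key in open_reqs and (h := HOSTNAME.search(line)):
            req = open_reqs.pop(key)
            req["hostname"] = h.group(1)
            # An IP literal that became a name means a PTR lookup happened.
            req["verdict"] = ("reverse-lookup"
                              if is_ip(req["http_host"]) and not is_ip(req["hostname"])
                              else "lookup-disabled" if req["disabled"] else "unchanged")
            results.append(req)
    return results
```

Running `classify()` over a production trace log and counting "reverse-lookup" verdicts shows whether requests addressed by IP are still triggering PTR queries after the ACO change.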